Add doc on new field request.kubernetes_resources
#48480
Conversation
github-actions
bot
requested review from
mmcallister,
nklaassen,
ptgott,
r0mant,
xinding33 and
zmb3
kimlisa
added
backport/branch/v16
backport/branch/v17
no-changelog
|
🤖 Vercel preview here: https://docs-gtbutz7i0-goteleport.vercel.app/docs/ver/preview |
| - "kube-access" | ||
| kubernetes_resources: | ||
| - kind: "namespace" | ||
| deny: {} |
| kubernetes_resources: | ||
| - kind: "namespace" | ||
| - kind: "pod" | ||
| deny: {} |
| - "kube-access" | ||
| kubernetes_resources: | ||
| - kind: "*" | ||
| deny: {} |
docs/pages/includes/role-spec.mdx
Outdated
| # 'kubernetes_resources' restricts what kinds of Kubernetes resources | ||
| # a user can access request to. The example defined below, enforces users to | ||
| # request only Kubernetes namespaces. Default (when nothing is defined) allows | ||
| # any Kubernetes resource request. |
There was a problem hiding this comment.
| # any Kubernetes resource request. | |
| # access requests to any Kubernetes resource or the entire cluster. |
docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx
Outdated
Show resolved
Hide resolved
| @@ -406,6 +406,72 @@ Requesting access to a Kubernetes Namespace allows you to access all resources | |||
| in that namespace but you won't be able to access any other supported resources | |||
| in the cluster. | |||
|
|
|||
| ##### Enforce users to request only allowed Kubernetes Resources | |||
There was a problem hiding this comment.
how does this feature interact with the previous paragraph, should it be edited at all?
There was a problem hiding this comment.
it starts from here https://docs-bgpfzlzb8-goteleport.vercel.app/docs/admin-guides/access-controls/access-requests/resource-requests/#restrict-access-requests-to-specific-kubernetes-resources
and content organization is like:
> Restrict the resources a user can request access to
> kube_cluster
> Kubernetes resources
> Preventing unintended access to Kubernetes resources
> Restrict Access Requests to specific Kubernetes resources
| The following role assigned to a user, restricts access requesting to only Kubernetes namespaces. | ||
| If a user attempts to make a request to Kubernetes resources other than `namespace` then the request | ||
| will be rejected: |
There was a problem hiding this comment.
What does requesting access to a namespace even mean? Do you get access to anything within that namespace? Could we either explain that or use a simpler kind for this example like pod or something?
There was a problem hiding this comment.
i would like to keep it as namespace example as we think that'll be the most often used value
the section above this section explains restricting Kubernetes access.
i added this to the bottom of my section:
The `request.kubernetes_resources` field only restricts what `kinds` of Kubernetes resource requests are allowed.
To control Kubernetes access to these resources see
[Preventing unintended access to Kubernetes resources](#thehash)
section for more details.does that help?
docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx
Outdated
Show resolved
Hide resolved
docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx
Outdated
Show resolved
Hide resolved
| The following role assigned to a user, restricts users from access requesting to a Kubernetes cluster but | ||
| allows requesting to any Kubernetes resources: |
There was a problem hiding this comment.
| The following role assigned to a user, restricts users from access requesting to a Kubernetes cluster but | |
| allows requesting to any Kubernetes resources: | |
| The following role, when assigned to a user, allows them to request access to any specific | |
| Kubernetes resource, but does *not* allow requesting access to the entire cluster. |
There was a problem hiding this comment.
i removed the mention of not allowing requesting access to the entire cluster here, and moved it towards the beginning of the section, see comment: https://github.com/gravitational/teleport/pull/48480/files#r1830229498
There was a problem hiding this comment.
btw, you and zac both gave review around same time i think, i took some of zac's suggestion over yours (or tried to combine the best parts)
docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx
Outdated
Show resolved
Hide resolved
docs/pages/includes/role-spec.mdx
Outdated
| @@ -350,6 +350,13 @@ spec: | |||
| # resources accessible by the listed roles (enterprise-only) | |||
| search_as_roles: ['access'] | |||
|
|
|||
| # 'kubernetes_resources' restricts what kinds of Kubernetes resources | |||
| # a user can access request to. The example defined below, enforces users to | |||
There was a problem hiding this comment.
| # a user can access request to. The example defined below, enforces users to | |
| # a user can request access to. In the below example, users can |
| deny: {} | ||
| ``` | ||
|
|
||
| By default, when `request.kubernetes_resources` field is not configured, there are no enforcements and |
There was a problem hiding this comment.
| By default, when `request.kubernetes_resources` field is not configured, there are no enforcements and | |
| If the `request.kubernetes_resources` field is not configured, then |
| a user can make request to any Kubernetes resources including its cluster. | ||
|
|
||
| See related section about [Kubernetes Resources](../../../../enroll-resources/kubernetes-access/controls.mdx/#kubernetes_resources) | ||
| to see a list of supported `kind`. Note that only the `kind` field is supported. |
There was a problem hiding this comment.
| to see a list of supported `kind`. Note that only the `kind` field is supported. | |
| to see a list of supported `kind` values. |
| The following role assigned to a user, restricts users from access requesting to a Kubernetes cluster but | ||
| allows requesting to any Kubernetes resources: |
There was a problem hiding this comment.
| The following role assigned to a user, restricts users from access requesting to a Kubernetes cluster but | |
| allows requesting to any Kubernetes resources: | |
| The following role restricts users from requesting access to a Kubernetes cluster but | |
| allows requesting to any Kubernetes resources: |
- Remove "assigned to a user." The sentence reads just as well without it.
- "Access requesting" is not a verb. Let's say "requesting access" instead.
- I don't quite understand the example - how does it restrict users from requesting access to kube clusters?
There was a problem hiding this comment.
i removed the restricting users from requesting access to kube cluster phrase from this example. instead i moved it to the beginning of section like this:
The `request.kubernetes_resources` field allows you to restrict what kinds of Kubernetes
resources a user can request access to. Configuring this field to any value will disallow
requesting access to the entire Kubernetes cluster.
If the `request.kubernetes_resources` field is not configured, then a user can request access
to any Kubernetes resources, including the entire Kubernetes cluster.
<... insert exmaples>
does this make more sense?
| deny: {} | ||
| ``` | ||
|
|
||
| The following role assigned to a user, restricts access requesting to only Kubernetes namespaces and/or pods. |
There was a problem hiding this comment.
| The following role assigned to a user, restricts access requesting to only Kubernetes namespaces and/or pods. | |
| The following role allows users to request access only to Kubernetes namespaces and/or pods. |
| The `request.kubernetes_resources` field allows you to restrict what kinds of Kubernetes | ||
| resources a user can access request to. | ||
|
|
||
| The following role assigned to a user, restricts access requesting to only Kubernetes namespaces. |
There was a problem hiding this comment.
| The following role assigned to a user, restricts access requesting to only Kubernetes namespaces. | |
| The following role allows users to request access to Kubernetes namespaces. |
| ##### Enforce users to request only allowed Kubernetes Resources | ||
|
|
||
| The `request.kubernetes_resources` field allows you to restrict what kinds of Kubernetes | ||
| resources a user can access request to. |
There was a problem hiding this comment.
| resources a user can access request to. | |
| resources a user can request access to. |
| @@ -406,6 +406,72 @@ Requesting access to a Kubernetes Namespace allows you to access all resources | |||
| in that namespace but you won't be able to access any other supported resources | |||
| in the cluster. | |||
|
|
|||
| ##### Enforce users to request only allowed Kubernetes Resources | |||
There was a problem hiding this comment.
| ##### Enforce users to request only allowed Kubernetes Resources | |
| ##### Restrict Access Requests to specific Kubernetes resources |
|
🤖 Vercel preview here: https://docs-bgpfzlzb8-goteleport.vercel.app/docs/ver/preview |
public-teleport-github-review-bot
bot
removed request for
mmcallister,
xinding33 and
ptgott
kimlisa
force-pushed
the
lisa/update-doc
branch
from
a21d409 to
42d36e3
Compare
|
🤖 Vercel preview here: https://docs-lahad8tpw-goteleport.vercel.app/docs/ver/preview |
kimlisa
force-pushed
the
lisa/update-doc
branch
from
42d36e3 to
17b27b9
Compare
|
🤖 Vercel preview here: https://docs-n5ovm722g-goteleport.vercel.app/docs/ver/preview |
kimlisa
force-pushed
the
lisa/update-doc
branch
from
17b27b9 to
447d6c8
Compare
|
🤖 Vercel preview here: https://docs-8ijud65tx-goteleport.vercel.app/docs/ver/preview |
part of #46742
vercel link to new section:
https://docs-bgpfzlzb8-goteleport.vercel.app/docs/admin-guides/access-controls/access-requests/resource-requests/#restrict-access-requests-to-specific-kubernetes-resources
new role spec link:
https://docs-gtbutz7i0-goteleport.vercel.app/docs/reference/access-controls/roles/#example-role-specification